Driver's Privacy Protection Act of 1994
Citation Driver's Privacy Protection Act of 1994 (DPPA), Pub. L. No. 103-322, Tit. XXX, 108 Stat. 2099 (1994), codified as amended, 18 U.S.C. §§ 2721-25. Overview Prior to 1997, in many states the easiest way for an individual to get another person’s identity information was simply to purchase the individual’s driving record from the local DMV. For a few dollars, anyone could obtain a driver’s full name, address, birth date and license number, which in many states was the same as the individual’s SSN. Thus, the DMV served as a one-stop shop for the would-be identity thief. In 1989, actress Rebecca Schaeffer was stalked and murdered by a fan who allegedly retrieved her name and address from the California motor vehicle department. Her death inspired the passage of the "Driver's Privacy Protection Act of 1994" as an amendment to the Omnibus Crime Act of 1994. Statutory provisions The Act prohibits state departments of motor vehicles (DMVs) and others to whom the DMVs provide information from disclosing a driver's personal informationThe term "personal information" is defined as information that identifies an individual, including an individual's photograph, Social Security number, driver identification number, name, address, telephone number, and medical or disability information, but does not include information on vehicular accidents, driving violations, and driver's status. without the driver's consent. DMVs that violate the Act are subject to civil penalties. Under the Act, personal information contained in a motor vehicle record may be disclosed for use by any government agency, including any court or law enforcement agency, in carrying out its functions, or to any private person or entity acting on behalf of a Federal, State, or local agency; and for use in connection with any civil, criminal, administrative, or arbitral proceeding in any Federal, State, or local court or agency or before any self-regulatory body, or pursuant to a Federal, State, or local court order. The Act requires that the driver consent before the state discloses most of this information, but permits disclosure of the 5-digit zip code and "information on vehicular accidents, driving violations and driver's status." The Act provides a number of exceptions, including information required to control emissions, driver safety, thefts, recalls, verifying personal information submitted to a business, and insurance. The private parties that receive this information are also authorized to disclose it to others for the same purposes. And "a private actor who has obtained drivers' information from DMV of Motor Vehicles records specifically for direct-marketing purposes may resell that information for other direct-marketing uses, but not otherwise."18 U.S.C. §2721©. The broadest of all the exceptions to the Act are the so-called "opt-out provisions" found in Sections 2721(b)(11) and (12). These provisions permit a state to disclose personal identification information to any individual or business so long as the state provides license holders written notice that includes a clear opportunity to opt-out.Angela R. Karras, "The Constitutionality of the Driver’s Privacy Protection Act: A Fork in the Information Access Road," 52 Fed. Comm. L.J. 125, 131 (1999). While numerous states have enacted statutes with disclosure prohibitions as strict or stricter than the DPPA's default standard, the majority of states have enacted a variety of opt-out laws which allow drivers to choose different levels of confidentiality.Id. at 132-33. 2000 Amendment In 2000, the Act was amended to create a new class of "highly restricted personal information." This includes an individual's photograph or image, social security number, and medical or disability information. This information may not be shared without the express consent of the person to whom the information applies, except for four purposes stated in the Act. Remedies Violation of the DPPA exposes both states and individuals that do not comply with its requirements to sanctions. One of these provides that "a state agency that maintains a 'policy or practice of substantial noncompliance' with the Act may be subject to a civil penalty imposed by the United States Attorney General of not more than $5,000 per day of substantial noncompliance."18 U.S.C. §2723(b). In July 2013, the Court of Appeals for the Second Circuit determined that data brokers could be liable for the use of personal information that they obtain from state departments of motor vehicles and sell to others. The court held that the Act imposes a duty on resellers to exercise reasonable care in responding to requests for personal information drawn from motor vehicle records.Gordon v. Softech, Int'l, Inc., 726 F.3d 42 (2d Cir. 2013). Constitutionality In 2000, the U.S. Supreme Court upheld that constitutionality of the Act in Reno v. Condon. References Category:Legislation Category:Legislation-U.S.-Federal Category:Legislation-U.S.-Privacy Category:Privacy Category:1994